Web Service Security — XKMS (TrustPoint)

Abstract

Web services have grown up and developed a considerable potential: They are based on an open, dynamic exchange of data. Their openness is their greatest plus and contributed to their wide acceptance. This openness, however, and the resulting lack of security is at the same time the barrier that prevents web services from being used on a broad basis. Web services have to become safe if they are to transmit sensitive data securely.

The prerequisites for the secure electronic exchange of data and information are confidentiality, integrity, and reliability. The adequate means to meet these demands are encryption and the digital signature on the basis of cryptographic methods. A Public Key Infrastructure (PKI) provides the adequate software, protocols, and standards. If web services are to be protected comprehensively and on the long run, a PKI is needed. Establishing and operating a PKI, however, is a complex task requiring different protocols on the client side — and not all application programs respectively application terminals are able to meet these requirements.

New approaches enable the easy communication with a PKI. Web services and the Simple Object Access Protocol (SOAP are easy means to make use of remote services within a Service Orientated Architecture (SOA). The XML Key Management Specification (XKMS defines a protocol with which keys can be validated and managed on the basis of XML via web services. The resulting advantages make using a PKI easier and leaner. In this work, the XKMS specification is introduced, its functional principle is explained, its advantages and disadvantages are described, and an insight is provided into the realization of a SKMS responder in the framework of the TrustPoint project.